Abstract—We address the problem of quantifying the cryptographic
content of probability distributions, in relation to an
application to secure multi-party sampling against a passive
t-adversary. We generalize a recently introduced notion of assisted
common information of a pair of correlated sources to that of
K sources and define a family of monotone rate regions indexed
by K. This allows for a simple characterization of all t-private
distributions that can be statistically securely sampled without
any auxiliary setup of pre-shared noisy correlations. We also give
a new monotone called the residual total correlation that admits
a simple operational interpretation. Interestingly, for sampling
with non-trivial setups (K > 2) in the public discussion model,
our definition of a monotone region differs from the one by
Prabhakaran and Prabhakaran (ITW 2012).

Keywords—assisted common information, monotones, unconditional
security, secure multi-party sampling.

I. Introduction 

Suppose two parties, Alice and Bob working in distant labs 
have access to a certain set of nonlocal resources (e.g., noisy 
correlations or channels) and wish to simulate or realize the 
functionality of a target resource (e.g., oblivious transfer, a 
noiseless secret key, etc.). Information-theoretic cryptography 
is concerned with the questions of feasibility and efficiency 
or rate of such reductions against computationally-unbounded 
adversaries. Given a set of K parties, we focus on a restricted 
class of resources that takes no inputs from the parties, 
and following the execution of a distributed communication 
protocol over a public discussion channel, generates outputs 
$\{Y_a\}_{a=1}^K$ that approximately simulate a pre-specified joint
distribution $p_{Y_1,\ldots,Y_K}$. The protocol is required to be t-private,
i.e., any coalition of up to t (< K) honest-but-curious parties 
learns nothing more about the non-coalition parties’ outputs 
than what they can derive from their own set of outputs. The 
problem is an instance of secure multi-party sampling (a form 
of secure multi-party computation with no inputs) that has 
recently gained a lot of currency in the information theory 
literature [1]-[4]. As a simple example, suppose Alice and
Bob wish to sample pairs of the form, ((Yi,T 2 ) : Pr{Yi = 
T 2 } 7 ^ \)- If they try to generate such a pair by talking to each 
other, they will necessarily end up violating 1-privacy. On the 
other hand, pairs of the form $Y_1 = (U_1, Q)$, $Y_2 = (Q, U_2)$ where
$U_1, U_2, Q$ are independent can be generated on the fly. However,
outside this class of trivial distributions, cryptographically
useful non-trivial pairs $(Y_1, Y_2)$ cannot be securely realized
from scratch, i.e., without the aid of an auxiliary setup in the
form of a trusted source of noisy correlations [1]-[3].

The earliest known impossibility result for secure 2-party 
sampling appears in the problem of mental poker [6]. Here two 
distant parties simulate the act of randomly sampling a disjoint 
pair of hands from a common deck of cards without using a 
trusted arbiter. Most relevant to the current work are the works 
on monotones, real-valued functions of joint distributions that
cannot increase under monopartite or local operations and
noiseless public communication (LOPC). Monotones were first
introduced in [5] as classical counterparts of entanglement or
LOCC (local operations and classical communication) monotones
to study the asymptotic rate of resource conversion under
LOPC. Such rates are limited by the amount of resources
contained in the source and target probability distributions.
Monotones based on Gács and Körner's notion of the common
part of a pair of correlated sources [8] were introduced in [1]
and later extended to the statistical case in [4]. Comparing the 
value of the monotone on the setup and protocol output random 
variables gives an upper bound on the rate of secure 2-party 
sampling. Prabhakaran and Prabhakaran [2] developed a tighter 
upper bound technique using the concept of a monotone region 
based on assisted common information, a generalization of the 
Gács-Körner common information [8]. In [3], the same authors
explored the power of different setups (or its lack thereof) in 
the multi-party scenario for different communication models, 
viz., the private channels model (parties linked via a complete 
network of bilateral secure channels) and the public discussion 
model. A related work on the private channels model [7] gave a 
weak characterization of the class of t-private distributions that 
are securely realizable from scratch, by reducing the problem 
to the 2-party case via a partition argument. 

Contributions. We address both the questions of feasibility 
and efficiency of statistically secure multi-party reductions in 
relation to sampling in the public discussion model. The main 
tool we develop is a generalization of the bivariate monotone 
region introduced in [2]. Our statistical impossibility result 
when specialized to the scenario of perfectly secure sampling 
from scratch, recovers the characterization in [3]. However, for 
the more general problem with non-trivial setups (K > 2), our
definition of a monotone region differs from the one in [3] and
can give strictly better bounds on the rates of secure K-party
protocols. We also give a new monotone called the residual 
total correlation that admits a simple operational interpretation. 

II. Preliminaries 

Random variables (RVs) and their finite alphabets are
denoted using uppercase letters $X$ and script letters $\mathcal{X}$. We
write $p_X$ to denote the distribution (pmf) of a discrete RV
$X$. $X - Y - Z$ denotes that $X, Y, Z$ form a Markov chain
satisfying $p_{XYZ} = p_{XY}\,p_{Z|Y}$. $A \setminus B$ denotes usual set-theoretic
subtraction. The total variational distance between distributions
$p_X$ and $p_{X'}$ is defined as $\mathrm{TV}(p_X, p_{X'}) = \frac{1}{2}\|p_X - p_{X'}\|_1$. For
a nonnegative real coordinate space $\mathbb{R}_+^K$, the increasing hull of
$A \subseteq \mathbb{R}_+^K$ is defined as $i(A) = \{a \in \mathbb{R}_+^K : \exists a' \in A \text{ s.t. } a \geq a'\}$
(where the comparison is coordinate-wise) [2].

For a pair $(X_1, X_2) \sim p_{X_1X_2}$, let $\mathcal{P}_{X_1,X_2}$ be the set of
all RVs $Q$ jointly distributed with $(X_1, X_2)$. For $p_{Q|X_1X_2} \in \mathcal{P}_{X_1,X_2}$,
$(X_1, X_2)$ is said to be perfectly resolvable [2] if
the residual information $I(X_1;X_2|Q) = 0$ and $H(Q|X_1) = H(Q|X_2) = 0$.
We then say that $Q$ perfectly resolves $(X_1, X_2)$.

Gács and Körner (GK) [8] defined common information
(CI) of the pair $(X_1, X_2) \sim p_{X_1X_2}$ as the maximum rate
of common randomness (CR) that Alice and Bob, observing
sequences $X_1^n$ and $X_2^n$ separately, can extract without any
communication.

$$C_{GK}(X_1;X_2) = \max_{\substack{Q:\, H(Q|X_1)=0 \\ H(Q|X_2)=0}} H(Q) = \max_{\substack{Q - X_1 - X_2 \\ Q - X_2 - X_1}} I(X_1X_2;Q).$$

CR thus defined is a far stronger resource than correlation,
in that the latter does not result in common random bits, in
general [8]. Nevertheless, when communication is an available
resource, Alice and Bob can unlock hidden layers of potential
CR. Following communication, the CR rate increases to
$I(X_1;X_2)$.

Wyner [9] defined CI as the minimum rate of CR needed
to generate $X_1$ and $X_2$ separately using local operations
(independent noisy channels: $Q \to X_1$, $Q \to X_2$) and no
communication.

$$C_W(X_1;X_2) = \min_{Q:\, X_1 - Q - X_2} I(X_1X_2;Q), \quad |\mathcal{Q}| \leq |\mathcal{X}_1||\mathcal{X}_2|.$$

The three notions of CI are related as $C_{GK}(X_1;X_2) \leq
I(X_1;X_2) \leq C_W(X_1;X_2)$ with equality holding iff $(X_1, X_2)$
is perfectly resolvable, whence $C_{GK}(X_1;X_2) = I(X_1;X_2)
\Leftrightarrow I(X_1;X_2) = C_W(X_1;X_2)$ [12].

Common information duality in relation to the generalized
Gray-Wyner Network. Consider the generalized Gray-Wyner
(GW) distributed lossless source coding network [10], [11]
shown in Fig. 1(a). The network jointly encodes K discrete,
memoryless correlated sources using a common message and
K private messages, and separately decodes each private
message using the common message as side information. Let
$X_{\mathcal{A}} = \{X_a\}_{a \in \mathcal{A}}$ be a K-tuple of RVs ranging over finite sets
$\mathcal{X}_a$ where $\mathcal{A}$ is an index set of size K.


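Theorem 1 ([11]). The optimal rate region $\mathcal{R}_{GW}(X_{\mathcal{A}})$ for the
generalized GW network is given by

$$\mathcal{R}_{GW}(X_{\mathcal{A}}) = \left\{ \begin{array}{l} (\{R_a\}_{a=1}^K, R_0) \in \mathbb{R}_+^{K+1} : \exists\, p_{Q|X_{\mathcal{A}}} \in \mathcal{P}_{X_{\mathcal{A}}} \\ \text{s.t. } R_0 \geq I(X_{\mathcal{A}};Q), \\ R_a \geq H(X_a|Q)\ \forall a \in \mathcal{A} \end{array} \right\},$$

where $\mathcal{P}_{X_{\mathcal{A}}}$ is the set of all conditional pmfs $p_{Q|X_{\mathcal{A}}}$ s.t. the
cardinality of the alphabet $\mathcal{Q}$ of the auxiliary RV $Q$ is bounded
as $|\mathcal{Q}| \leq \prod_{a=1}^K |\mathcal{X}_a| + 2$.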


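A trivial lower bound to $\mathcal{R}_{GW}(X_{\mathcal{A}})$ follows from basic
information-theoretic considerations [10].

$$\mathcal{R}_{GW}(X_{\mathcal{A}}) \subseteq \mathcal{L}_{GW}(X_{\mathcal{A}}) = \left\{ (\{R_a\}_{a=1}^K, R_0) : \begin{array}{l} R_0 + R_a \geq H(X_a)\ \forall a \in \mathcal{A}, \\ R_0 + \sum_{a=1}^K R_a \geq H(X_{\mathcal{A}}) \end{array} \right\}.$$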


Existing notions of CI can be viewed as extreme points
for the corresponding common rate $R_0$ in the GW network
(for K = 2 see Problem 16.28-16.30, pg. 394 in [12]).
For the generalized GW network, the CI duality is explicit
when considering the complementary efficiency requirements
of the first and second rate bundlings shown in Fig. 1(a). The
inefficiency is manifest in the gap between $\mathcal{R}_{GW}(X_{\mathcal{A}})$ and the
lower bound $\mathcal{L}_{GW}(X_{\mathcal{A}})$.

Fig. 1. (a) The generalized Gray-Wyner distributed source coding network
(b) The generalized assisted common information setup

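When the sum-rate into each decoder (second bundling) is
efficient (i.e., $R_0 + R_a = H(X_a)$, $\forall a \in \mathcal{A}$), the maximum
common rate is $C_{GK}(X_1;\ldots;X_K)$ with the inefficiency in the
first bundling being given by

$$\Delta_1 = R_0 + \sum_{a=1}^K R_a - H(X_{\mathcal{A}}) = \sum_{a=1}^K H(X_a|Q) - H(X_{\mathcal{A}}|Q) = I(X_1;\ldots;X_K|Q) \quad (1)$$

where the quantity $I(X_1;\ldots;X_K)$ is the total correlation [5]
and is defined as $I(X_1;\ldots;X_K) = \sum_{a=1}^K H(X_a) - H(X_{\mathcal{A}}) =$

When the sum-rate out of the K encoders (first bundling)
is efficient (i.e., $R_0 + \sum_{a=1}^K R_a = H(X_{\mathcal{A}})$), the minimum
common rate is $C_W(X_1;\ldots;X_K)$ with the inefficiency in the
second bundling being given by

$$\Delta_2 = \sum_{a=1}^K \big(R_0 + R_a - H(X_a)\big) = \sum_{a=1}^K \big(I(X_{\mathcal{A}};Q) + H(X_a|Q) - H(X_a)\big) \overset{(a)}{=} \sum_{a=1}^K I(X_{\mathcal{A}\setminus a};Q|X_a) = \sum_{a=1}^K \Delta_{2a} \quad (2)$$

where $\Delta_{2a} = I(X_{\mathcal{A}\setminus a};Q|X_a)$ captures the inefficiency of
the a-th decoder and (a) follows from writing $I(X_{\mathcal{A}};Q)$ as
$I(X_{\mathcal{A}\setminus b};Q) + I(X_b;Q|X_{\mathcal{A}\setminus b}) = I(X_a;Q) + I(X_{\mathcal{A}\setminus ab};Q|X_a) +
I(X_b;Q|X_{\mathcal{A}\setminus b}) = I(X_a;Q) + I(X_{\mathcal{A}\setminus a};Q|X_a)$. $\Delta_1$ and $\Delta_2$ are
functions from $\mathcal{P}_{X_{\mathcal{A}}}$. In particular for K = 2, the
inefficiencies in the first and second bundlings are given by

$$\Delta_1 = I(X_1;X_2|Q)$$
$$\Delta_2 = \Delta_{21} + \Delta_{22} = I(X_2;Q|X_1) + I(X_1;Q|X_2) \quad (3)$$

Maximum efficiency of the first bundling occurs when
$\Delta_2 = 0$, i.e., $Q - X_a - X_{\mathcal{A}\setminus a}$, $\forall a \in \mathcal{A}$. Similarly, maximum
efficiency of the second bundling occurs when $\Delta_1 = 0$, i.e.,
$X_i - Q - X_j$, $i \neq j$, $\forall i,j \in \mathcal{A}$. It is easy to see that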


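$$\min_{\Delta_2 = 0} \Delta_1 = \min_{Q - X_a - X_{\mathcal{A}\setminus a},\ \forall a \in \mathcal{A}} I(X_1;\ldots;X_K|Q)$$
$$= I(X_1;\ldots;X_K) - \max_{Q - X_a - X_{\mathcal{A}\setminus a},\ \forall a \in \mathcal{A}} I(X_1;\ldots;X_K|Q)$$
$$= I(X_1;\ldots;X_K) - C_{GK}(X_1;\ldots;X_K) \quad (4)$$

$$\min_{\Delta_1 = 0} \Delta_2 = \min_{X_i - Q - X_j,\ i \neq j,\ \forall i,j \in \mathcal{A}} \sum_{a=1}^K I(X_{\mathcal{A}\setminus a};Q|X_a)$$
$$= \min_{X_i - Q - X_j,\ i \neq j,\ \forall i,j \in \mathcal{A}} I(X_1 \ldots X_K;Q) - I(X_1;\ldots;X_K)$$
$$= C_W(X_1;\ldots;X_K) - I(X_1;\ldots;X_K) \quad (5)$$

Clearly, $C_{GK}(X_1;\ldots;X_K) = I(X_1;\ldots;X_K) \Leftrightarrow I(X_1;\ldots;X_K)
= C_W(X_1;\ldots;X_K)$.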

It is interesting to note that, recently Prabhakaran and
Prabhakaran [2] have introduced a rate region for a 3-party
communication problem called the assisted residual
information region, $\mathcal{T}(X_1;X_2)$, which is the increasing hull
of the set of all triples of the form $(\Delta_{21}, \Delta_{22}, \Delta_1) =
(I(X_2;Q|X_1), I(X_1;Q|X_2), I(X_1;X_2|Q))$. $\mathcal{T}$ enjoys a certain
monotonicity property lacking in the original GW region. From
(3), it follows that $\mathcal{T}(X_1;X_2)$ is the image of $\mathcal{R}_{GW}(X_1;X_2)$
under an affine map that computes the inefficiencies of the
first and second bundlings. Thus, $\mathcal{T}(X_1;X_2)$ formalizes the
complementary efficiency requirements in terms of a rate-information
trade-off region. Maximum efficiency occurs when
$\mathcal{T}(X_1;X_2)$ includes the origin, which occurs when $(X_1, X_2)$ is
perfectly resolvable. At all other instances when the common
core $Q$ fails to completely resolve the dependence between
$(X_1, X_2)$, $\mathcal{T}(X_1;X_2)$ is bounded away from the origin [2].

III. Main contributions 

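A. The Generalized Assisted Residual Information Region

Consider the setup in Fig. 1(b). Let $X_{\mathcal{A}} = \{X_a\}_{a \in \mathcal{A}}$ be
a K-tuple of RVs ranging over finite sets $\mathcal{X}_a$, where $\mathcal{A}$ is
an index set of size K and let $X_{\mathcal{A}}^n$ be a sequence of
independent copies $X_{\mathcal{A},i} = \{X_{a,i}\}_{a \in \mathcal{A}}$ of $X_{\mathcal{A}}$ drawn i.i.d.
$\sim p_{X_{\mathcal{A}}}$. K terminals independently having access to one of
the K components of such a source are required to produce
RVs $\{W_a\}_{a \in \mathcal{A}}$ that must all agree with each other with high
probability. An omniscient genie G having access to $X_{\mathcal{A}}^n$ assists
the terminals by privately sending them rate-limited messages
$M_a$, $a \in \mathcal{A}$ over noiseless links so that the
terminals can independently compute $W_a = g_a^n(X_a^n, M_a)$,
$a \in \mathcal{A}$. We say that a K-tuple of rates $\{R_a\}_{a \in \mathcal{A}}$ enables
residual information rate $R_0 \geq 0$ for $X_{\mathcal{A}}$ if for every $\epsilon > 0$
and n sufficiently large, there exist deterministic mappings:

$$f_a^n : \mathcal{X}_1^n \times \cdots \times \mathcal{X}_K^n \to \{1,\ldots,2^{n(R_a+\epsilon)}\}, \quad a \in \mathcal{A},$$
$$g_a^n : \mathcal{X}_a^n \times \{1,\ldots,2^{n(R_a+\epsilon)}\} \to \mathbb{Z}, \quad a \in \mathcal{A},$$

where $\mathbb{Z}$ is the set of integers, s.t. $\forall i,j,a \in \mathcal{A}$

$$\Pr\{g_i^n(X_i^n, M_i) \neq g_j^n(X_j^n, M_j)\} \leq \epsilon, \quad i \neq j,$$
$$\tfrac{1}{n} I(X_1^n;\ldots;X_K^n \,|\, g_a^n(X_a^n, M_a)) \leq R_0 + \epsilon.$$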

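Definition 1. The (K + 1)-dimensional assisted residual information
(ARI) rate region is defined as follows.

$$\mathcal{T}(X_{\mathcal{A}}) = \{(\{R_a\}_{a \in \mathcal{A}}, R_0) : \{R_a\}_{a \in \mathcal{A}} \text{ enables residual information rate } R_0 \text{ for } X_{\mathcal{A}}\}.$$

Denoting by $\mathcal{P}_{X_{\mathcal{A}}}$ the set of all conditional pmfs $p_{Q|X_{\mathcal{A}}}$
s.t. the cardinality of the alphabet $\mathcal{Q}$ of $Q$ is bounded as
$|\mathcal{Q}| \leq \prod_{a=1}^K |\mathcal{X}_a| + 2$, the boundary of $\mathcal{T}(X_{\mathcal{A}})$ is made up of
(K + 1)-tuples of the form $(\{\Delta_{2a}\}_{a \in \mathcal{A}}, \Delta_1)$, and the rate region has
the following characterization.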

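Theorem 2 (Generalized (K + 1)-dimensional assisted residual
information region).

$$\mathcal{T}(X_{\mathcal{A}}) = \left\{ \begin{array}{l} (\{R_a\}_{a \in \mathcal{A}}, R_0) \in \mathbb{R}_+^{K+1} : \exists\, p_{Q|X_{\mathcal{A}}} \in \mathcal{P}_{X_{\mathcal{A}}}, \\ \text{s.t. } R_0 \geq \sum_{i=1}^{K-1} I(X_1 \ldots X_i; X_{i+1}|Q) = \Delta_1, \\ R_a \geq I(X_{\mathcal{A}\setminus a};Q|X_a) = \Delta_{2a},\ \forall a \in \mathcal{A} \end{array} \right\}$$

Also, $\mathcal{T}(X_{\mathcal{A}})$ is continuous, convex, and closed.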


We sketch the proof of Theorem 2 in the Appendix.
Corollary 3 follows from Theorem 2, (4), and (5) to yield
the following expressions for the generalized Gács-Körner CI
and Wyner CI in terms of the ARI region.

Corollary 3.

$$C_{GK}(X_1;\ldots;X_K) = I(X_1;\ldots;X_K) - \min_{(0,\ldots,0,R_0) \in \mathcal{T}(X_{\mathcal{A}})} R_0,$$
$$C_W(X_1;\ldots;X_K) = I(X_1;\ldots;X_K) + \min R_a.$$

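The following theorem (proven in the Appendix) gives the
axes intercepts of the (K + 1)-dimensional ARI region.

Theorem 4 (Axes intercepts of the boundary of $\mathcal{T}(X_{\mathcal{A}})$).

$$\Delta_{2a}^{\mathrm{int}}(X_1;\ldots;X_K) = \min\{R_a : (0,\ldots,R_a,\ldots,0) \in \mathcal{T}(X_{\mathcal{A}})\} = \min_{\substack{Q:\, H(Q|X_b)=0\ \forall b \in \mathcal{A}\setminus a, \\ I(X_1;\ldots;X_K|Q)=0}} H(Q|X_a)$$

$$\Delta_1^{\mathrm{int}}(X_1;\ldots;X_K) = \min\{R_0 : (0,\ldots,0,R_0) \in \mathcal{T}(X_{\mathcal{A}})\} = \min_{Q:\, H(Q|X_a)=0\ \forall a \in \mathcal{A}} I(X_1;\ldots;X_K|Q)$$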


B. Monotone Regions for Secure K-party Sampling with Public
Discussion

We establish the monotonicity properties of $\mathcal{T}$, which by
virtue of being continuous and convex allows for deriving
tight outer bounds on the rate of statistically secure sampling
for the general K-party problem with setups. It is well-known
that cryptographically useful non-trivial distributions
cannot be securely realized from scratch, i.e., without the
aid of an auxiliary setup of correlated randomness [3], [7].
Trusted pre-shared noisy correlations are a simple yet powerful
cryptographic resource that takes no inputs from the parties,
and generates samples of a given joint distribution, with party-i
given access to copies of the i-th variable. Access to such
a setup is known to realize 2-party sampling [2], as well as
other important primitives like bit commitment and oblivious
transfer [1], [4] in an unconditionally secure way. In light
of the resource character of noisy correlations in enabling
such reductions (which are otherwise impossible to realize
from scratch), abstracting and quantifying such resources is
of interest. A resource is specified by a restriction, £ on the
full set of realizable operations. Given £, states that cannot
be created by means of £ naturally acquire some value and
become a resource. When distant parties wish to securely
sample RVs by manipulating a given joint distribution, it is natural
to restrict attention to the class of LOPC operations. The
resourcefulness or cryptographic content of the distribution is
a nonlocal property that cannot increase under LOPC, and can
be quantified using monotones. Monotones for secure K-party
sampling are real-valued quantities that can never increase in
any protocol that securely realizes a K-tuple of correlated RVs
$Y_{\mathcal{A}}$ using a setup $X_{\mathcal{A}}$. As we shall see, the entire region $\mathcal{T}$ is
a monotone and $\mathcal{T}(Y_{\mathcal{A}})$ can be interpreted as a witness of the
cryptographically trivial nature of $Y_{\mathcal{A}}$: $Y_{\mathcal{A}}$ can be perfectly
securely realized from scratch, iff $\mathcal{T}(Y_{\mathcal{A}})$ contains the origin.
The closer $Y_{\mathcal{A}}$ is to the origin, the lesser cryptographic content
it has. Conversely, the lesser $\mathcal{T}(Y_{\mathcal{A}})$ bulges towards the origin,
the more cryptographic content it has.
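As an added illustration (not code from the paper), the following Python sketch evaluates the $R_0$-axis intercept of Theorem 4, $\min_{Q: H(Q|X_a)=0\ \forall a} I(X_1;\ldots;X_K|Q)$, on small constructed pmfs and uses "intercept equals zero" as the test for the region containing the origin. It relies on the fact that any $Q$ that is a deterministic function of every $X_a$ is a function of the connected-component label of the support, so the minimum is attained at that label; all function names and sample distributions are assumptions made for this example.

```python
from collections import defaultdict
from itertools import product
from math import log2


def entropy(pmf):
    """Shannon entropy in bits of a pmf given as {outcome: probability}."""
    return -sum(p * log2(p) for p in pmf.values() if p > 0)


def total_correlation(joint):
    """I(X_1;...;X_K) = sum_a H(X_a) - H(X_A) for a pmf {(x_1,...,x_K): p}."""
    K = len(next(iter(joint)))
    total = -entropy(joint)
    for a in range(K):
        marg = defaultdict(float)
        for x, p in joint.items():
            marg[x[a]] += p
        total += entropy(marg)
    return total


def common_part(joint):
    """Finest Q with H(Q|X_a) = 0 for every a: the connected component of the
    graph whose nodes are (party, value) pairs, linked when the values
    co-occur in a support tuple. Returns {support tuple: component label}."""
    parent = {}

    def find(u):
        parent.setdefault(u, u)
        while parent[u] != u:
            parent[u] = parent[parent[u]]  # path halving
            u = parent[u]
        return u

    support = [x for x, p in joint.items() if p > 0]
    for x in support:
        for a in range(1, len(x)):
            parent[find((a, x[a]))] = find((0, x[0]))
    return {x: find((0, x[0])) for x in support}


def residual_total_correlation(joint):
    """I(X_1;...;X_K | Q*) with Q* the common part (R_0-axis intercept)."""
    blocks = defaultdict(dict)
    for x, q in common_part(joint).items():
        blocks[q][x] = joint[x]
    residual = 0.0
    for block in blocks.values():
        p_q = sum(block.values())
        residual += p_q * total_correlation({x: p / p_q for x, p in block.items()})
    return residual


def realizable_from_scratch(joint, tol=1e-9):
    """True iff the intercept vanishes, i.e. the region contains the origin."""
    return residual_total_correlation(joint) < tol


# --- constructed sample distributions -------------------------------------
def shared_bit_sources(K):
    """Y_a = (Q, U_a) with Q, U_1, ..., U_K independent uniform bits."""
    return {tuple((q, u) for u in us): 2.0 ** -(K + 1)
            for q in (0, 1) for us in product((0, 1), repeat=K)}


def dsbs(eps):
    """Doubly symmetric binary source with crossover probability eps."""
    return {(0, 0): (1 - eps) / 2, (1, 1): (1 - eps) / 2,
            (0, 1): eps / 2, (1, 0): eps / 2}


def pairwise_bit():
    """X_1 = X_2 = B and X_3 = C, with B, C independent uniform bits."""
    return {(b, b, c): 0.25 for b in (0, 1) for c in (0, 1)}


if __name__ == "__main__":
    for name, pmf in [("shared bit, K=2", shared_bit_sources(2)),
                      ("shared bit, K=3", shared_bit_sources(3)),
                      ("DSBS(0.1)", dsbs(0.1)),
                      ("pairwise bit", pairwise_bit())]:
        print(name, round(total_correlation(pmf), 4),
              round(residual_total_correlation(pmf), 4),
              realizable_from_scratch(pmf))
```

The `pairwise_bit` case shows a bit shared by only two of three parties: its common part is trivial, so the whole total correlation is residual and the source does not pass the from-scratch test.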

Consider the following simplified description of the semi-honest
model for secure K-party sampling [3], [7]. A set of K
parties engage in an interactive (randomized) communication
protocol $\Pi$ over a public discussion channel to accomplish
the distributed approximate simulation of a prescribed joint
distribution. The parties have access to an auxiliary setup;
independent copies of jointly distributed RVs $X_{\mathcal{A}} \sim p_{X_{\mathcal{A}}}$ with
party-a independently having access to copies of $X_a$ as well
as an infinite stream of private randomness. The protocol proceeds
in rounds, where in each round each party flips private
coins, and based on the messages exchanged so far, sends
a message over a broadcast public communication channel
to all the other parties. At the end of the protocol, party-a
generates output $Y_a$ as a function of its view (encapsulated in
the RV $V_a$), which consists of copies of its setup RV $X_a$, all
the private coins flipped so far, and all the communication
received over all the previous rounds. Interfering with the
interaction is a semi-honest t-adversary who may choose to
"passively corrupt" a set $T$ ($\subset \mathcal{A}$) of at most $t$ ($< K$) parties,
and learn their internal states. Compared to perfect reductions,
statistical implementations are much more efficient [4]. The
privacy and correctness requirements [3], [7] for statistically
secure reductions can be stated as follows.

Definition 2. For $\epsilon, \delta \geq 0$, a protocol $\Pi$ is $(\delta,t)$-private if the
information leakage of the final views of the corrupted parties
($V_T$) satisfies

$$\sum_{T \subset \mathcal{A}:\, |T| \leq t} I(V_T; Y_{\mathcal{A}\setminus T}|Y_T) \leq \delta.$$

The protocol is e-correct if TV (py^ jPya ) — Perfect privacy 
and correctness correspond to $\delta = 0$ and $\epsilon = 0$, respectively.

$(\delta,t)$-privacy implies that any coalition of up to $t$ ($< K$)
parties who are honest but "curious" and leak their entire final
views, learns nothing more about the non-coalition parties'
outputs than what they can derive from their own set of
outputs. As the views of the parties evolve along any LOPC
protocol, the region of residual total dependency of the views
can never shrink (away from the origin) [2]. Thus, if $\Pi$ securely
realizes $Y_{\mathcal{A}}$ using a setup $X_{\mathcal{A}}$, $\mathcal{T}(X_{\mathcal{A}})$ should be contained
within $\mathcal{T}(Y_{\mathcal{A}})$. Definition 3 makes this precise.

Definition 3. Let $\mathcal{M}$ be a function that maps the K-tuple of
RVs $X_{\mathcal{A}}$ to a subset s.t. if $a \in \mathcal{M}$ and $a' \geq a$, then
$a' \in \mathcal{M}$. $\mathcal{M}$ is a monotone region if the following hold:

1) Monotonicity under local operations (LO): Suppose party-i
modifies $X_i$ to $Z$ by sending $X_i$ over a channel, characterized
by $p_{Z|X_i}$. Then $\mathcal{M}$ cannot shrink, i.e., for all jointly distributed
RVs $(X_{\mathcal{A}}, Z)$ with $X_{\mathcal{A}\setminus i} - X_i - Z$, $\mathcal{M}(X_1;\ldots;X_iZ;\ldots;X_K) \supseteq
\mathcal{M}(X_1;\ldots;X_i;\ldots;X_K)$.

2) Monotonicity under public communication (PC): Suppose 
party-i publicly announces the value of Xi. Then A4 cannot 
shrink, i.e., for all jointly distributed RVs (X_ 4 ,Xi) with 


H{X,\Xi) = 0, M(X,Xi;...;X,X,_i;X,;X,X,+i;...;X,Xk) 
3 M{Xy,...-Xx..-Xk). 

3) Monotonicity under statistically secure sampling: Suppose
a subset $T$ of the parties are "passively corrupted"
who retain and share their views (encapsulated in the
RV $V_T$) in an attempt to infer additional information on
the outputs of the non-coalition parties. W.l.o.g. let $T =
\{1,\ldots,m\}$, where $m \leq t$. For all jointly distributed RVs
$(Y_{\mathcal{A}}, V_T)$ and $\delta_T \geq 0$, for each such $T$ ($\subset \mathcal{A}$) if
$I(V_T; Y_{\mathcal{A}\setminus T}|Y_T) \leq \delta_T$, then $\mathcal{M}(Y_1;\ldots;Y_m;Y_{m+1};\ldots;Y_K) \supseteq
\mathcal{M}(Y_1V_1;\ldots;Y_mV_m;Y_{m+1};\ldots;Y_K) + \delta_T$, i.e., statistically
securely sampled outputs do not have a much smaller region.

4) Additivity: $\mathcal{M}$ supports coordinate-wise Minkowski addition
for tensor products and is superadditive in general.

5) Continuity, Convexity and Closure: $\mathcal{M}$ is a continuous
function of the joint pmf $p_{X_{\mathcal{A}}}$. Also $\mathcal{M}$ is convex and closed.

Theorem 5. $\mathcal{T}$ is a (K + 1)-dimensional monotone region.

Proof: The following monotonicity inequality is useful:
$I(X;Y|f(X)Z) \leq I(X;Y|Z)$.

1) For the joint pmf $p_{X_{\mathcal{A}}ZQ} = p_{X_{\mathcal{A}}}\,p_{Z|X_i}\,p_{Q|X_{\mathcal{A}}}$, monotonicity
under LO holds since,

$$\Delta_{2i} :\ I(X_{\mathcal{A}\setminus i};Q|X_iZ) = I(X_{\mathcal{A}\setminus i};Q|X_i),$$
$$\Delta_{2j},\ j \neq i :\ I(X_{\mathcal{A}\setminus j}Z;Q|X_j) =$$
$$\Delta_1,\ i = K :\ I(X_1;\ldots;X_{K-1};X_KZ|Q) \overset{(a)}{=} I(X_1;\ldots;X_K|Q),$$

where (a) follows from choosing i = K and using the recurrence
relation $\Delta_1^{K}(X_1;\ldots;X_K|Q) = \Delta_1^{K-1}(X_1;\ldots;X_{K-1}|Q) +
I(X_K;X_1 \ldots X_{K-1}|Q)$. Since $\Delta_1$ is symmetric in all $X_i$'s, this
holds for all parties.

2) For the joint pmf Px^XiQ = PZAPxi\XiPQ\ZA^ monotonicity
under PC holds since,

A2i : I{XxiX^■.QX^\X^) = I{Xx^\Q\Xi), 

A2, : I{XxjXp,QX,\X,Xi) < I{XxfQ\Xj), 
jAi 

Ai :/(Xi;XiX2;...;XiXk|XiQ) 

K-1 

= I{Xi;XiX2\XfQ) + ^/(AiAi...A,;XiA,+i|XiQ) 

< /(Xi;X2|Q) + HXi...Xf,Xj+i\Q) 

= IiXY,...;XK\Q), 

where we have chosen i = 1. Since $\Delta_1$ is a symmetric quantity,
this holds for all i.

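3) For any $p_{Q|Y_{\mathcal{A}}V_T} \in \mathcal{P}_{Y_{\mathcal{A}}V_T}$, monotonicity under statistically
secure sampling easily holds for $\Delta_1$. For the coordinates
$\{\Delta_{2i}\}_{i \in T}$, if $I(V_T; Y_{\mathcal{A}\setminus T}|Y_T) \leq \delta_T$, we have

$$\Delta_{2i},\ i \in T :\ I(V_{T\setminus i}Y_{\mathcal{A}\setminus i};Q|V_iY_i) = I(V_{T\setminus i}Y_{T\setminus i}Y_{\mathcal{A}\setminus T};Q|V_iY_i)$$
$$= I(Y_{\mathcal{A}\setminus T};Q|V_TY_T) + I(Y_{T\setminus i}V_{T\setminus i};Q|Y_iV_i)$$
$$\geq I(Y_{\mathcal{A}\setminus T};Q|V_TY_T)$$
$$= I(Y_{\mathcal{A}\setminus T};QV_T|Y_T) - I(V_T;Y_{\mathcal{A}\setminus T}|Y_T)$$
$$\geq I(Y_{\mathcal{A}\setminus T};Q|Y_T) - I(V_T;Y_{\mathcal{A}\setminus T}|Y_T)$$
$$\Rightarrow I(Y_{\mathcal{A}\setminus T};Q|Y_T) \leq I(V_{T\setminus i}Y_{\mathcal{A}\setminus i};Q|V_iY_i) + \delta_T.$$
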

For < I{VrY,,\,-Q\%) + ^r- 

4) Additivity on tensor products and more generally superadditivity
follows using arguments very similar to the ones for
the K = 2 case [2].

5) Continuity and closure follow from Theorem 2. Convexity 
follows from arguments similar to the K = 2 case (see 
Theorem 2.4 and 2.5 in [2]). 

■ 

Our generalization yields an interesting quantity (see Theorem 4),
$\Delta_1^{\mathrm{int}}(Y_1;\ldots;Y_K)$, which we call the residual total
correlation. Total correlation, $I(Y_1;\ldots;Y_K)$, is a natural
generalization of the mutual information in the multipartite case
[5] that admits a simple operational interpretation: if parties
in distant labs who share a noisy correlation ($p_{Y_{\mathcal{A}}}$) choose to
forget all correlations between them by locally processing $Y_i$ in
their labs (e.g., sending $Y_i$ through a channel that completely
randomizes it), then total correlation is the minimum increase
of entropy of the local uncorrelated labs. Total correlation is a
monotone [5] as is its residual counterpart. The latter follows
from Theorem 4 and Theorem 5 since $\Delta_1^{\mathrm{int}}$ is the GK axis
intercept of the boundary of $\mathcal{T}(Y_{\mathcal{A}})$ that measures the gap
between total correlation and GK CI (see (4)). Condition (3) in
Definition 3 implies (among other things) the following data
processing inequality for $\Delta_1^{\mathrm{int}}$: the residual total correlation
can never increase under any secure mapping from views to
outputs. Analogous to the case for K = 2 [1], we can state
the following result for t = 1, the weakest form of t-privacy.

Proposition 6. For all jointly distributed RVs $(Y_{\mathcal{A}}, V_{\mathcal{A}})$, if $V_i -
Y_i - Y_jV_j$, then $\Delta_1^{\mathrm{int}}(Y_1;\ldots;Y_K) \leq \Delta_1^{\mathrm{int}}(V_1Y_1;\ldots;V_KY_K)$.

The most important consequence of Theorem 5 is that $\mathcal{T}$
can be used to derive the impossibility of sampling $Y_{\mathcal{A}}$ from
$X_{\mathcal{A}}$ with $\epsilon$-correctness and $(\delta,t)$-privacy: unless and until
$\mathcal{T}(X_{\mathcal{A}}) \subseteq \mathcal{T}(Y_{\mathcal{A}})$, such reductions are impossible. Furthermore,
by virtue of the continuity and convexity of $\mathcal{T}$, one can
derive an upper bound on the rate of such reductions. We prove
a milder version of the above statement in Corollary 7. An
analogous statement for the rate requires invoking arguments
related to the convexity of the monotone region which we skip.
The details are similar to the argument in [2].

Corollary 7. If m i.i.d. copies of $Y_{\mathcal{A}}$ can be statistically
securely realized from n i.i.d. copies of $X_{\mathcal{A}}$, then $n\mathcal{T}(X_{\mathcal{A}}) \subseteq
m\mathcal{T}(Y_{\mathcal{A}})$ (where multiplication by n refers to n-times repeated
Minkowski sum).

Proof (sketch): Let the RV encapsulate the view of 
the parties at the end of round r. Let = Xj^ and let the 
final view be L 4 . Then the proof follows from Theorem 5 by 
noting the following. By Condition (1) and (2) of Definition 
3, T(v;^) D By Condition (3), ‘r(yj) A ^(lAt). 

Thus, T(TX) A T(X^). Finally, by Condition (4), the 
required inclusion holds. ■ 

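Given $p_{Q|Y_{\mathcal{A}}} \in \mathcal{P}_{Y_{\mathcal{A}}}$, the set of all t-private distributions
that can be sampled from scratch with perfect correctness and
privacy are characterized by the following conditions:

$$\Delta_{2i} = I(Y_{\mathcal{A}\setminus i};Q|Y_i) = 0, \quad \forall i \in \mathcal{A} \quad (6)$$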

Ai = i(Yy,...-,Yk\Q) = = o (7) 

t-privacy follows from ( 6 ), (7) since A 2 i = I{Y_A.\i]Q\Yi) = 


0, Vi G ^ ^ i{Yjy,t-,Q\Yt) = 0, vr c a |T| < f 

and Ai = = 0 ^ = 

0, Va G Al ^ I{Yj^\T\Yr\Q) = 0, vr C A IT"! < t. 

A 2K-dimensional characterization for the K-variate
monotone region was given in [3] (see Theorem 3 in
[3]), by further decomposing the residual total dependency,
$\Delta_1$, into K components, viz.,

cr2K:Y \ = /({^n,{^* 2 }*^=l) : ^PQ\Xa s4.Vi G Al, 

^ > IiY^\i;Y\Q),y, > 

For independent setups, both $\mathcal{T}^{2K}$ and $\mathcal{T}$ yield the same
characterization of the t-private distributions realizable from
scratch. With non-trivial setups (K > 2), $\mathcal{T}$ can give strictly
tighter bounds (than $\mathcal{T}^{2K}$) on the rates of secure K-party
protocols. This follows from noting that whenever the common
core $Q$ fails to completely resolve the dependence between $Y_{\mathcal{A}}$,
any decomposition of $\Delta_1$ of the form |Q) is
bound to induce some redundant mutual information terms.
Theorem 8 gives sufficient conditions for the statistical case.

Theorem 8. A K-tuple of RVs $Y_{\mathcal{A}} \sim p_{Y_{\mathcal{A}}}$ can be sampled from
scratch with $\epsilon$-correctness and $(\delta,t)$-privacy, if there exists a
RV $Q$, jointly distributed with $Y_{\mathcal{A}}$, s.t. the following hold:

$$\leq \epsilon \quad (8)$$

$$\sum_{T \subset \mathcal{A}:\, |T| \leq t} I(Y_{\mathcal{A}\setminus T};Q|Y_T) \leq \delta \quad (9)$$

$$I(Y_{\mathcal{A}\setminus a};Y_a|Q) = 0, \quad \forall a \in \mathcal{A} \quad (10)$$

Proof: Consider the following protocol $\Pi_Q$ satisfying
conditions (8)-(10). Party-i samples $U_i = (Y_i, Q)$ and publicly
discloses the value of $Q$, following which each $\{\text{party-}j\}_{j \in \mathcal{A}\setminus i}$
independently samples $U_j$ by flipping their private coins using
$p_{Y_j|Q}$ conditioned on the received $Q$. Then, from (10)
it follows that $Y_j$ are independent given $Q$ which implies
Ya ^ Pya' given (8), $\epsilon$-correctness follows.

To show $(\delta,t)$-privacy, first note that

$$H(Y_{\mathcal{A}\setminus T}|Y_TQ) \overset{(a)}{=} H(Y_{\mathcal{A}\setminus T}|Q) \overset{(b)}{=} H(Y_{\mathcal{A}\setminus T}|QU_T) \overset{(c)}{=} H(Y_{\mathcal{A}\setminus T}|QU_TY_T),$$

where (a) follows from (10), (b) follows from noting that
$I(Y_{\mathcal{A}\setminus T};U_T|Q) = 0$, and (c) follows since $Y_T$ is a deterministic
function of $(U_T, Q)$. Then

$$I(Y_{\mathcal{A}\setminus T};Q|Y_T) = H(Y_{\mathcal{A}\setminus T}|Y_T) - H(Y_{\mathcal{A}\setminus T}|Y_TQ)$$
$$= H(Y_{\mathcal{A}\setminus T}|Y_T) - H(Y_{\mathcal{A}\setminus T}|QU_TY_T)$$
$$= I(Y_{\mathcal{A}\setminus T};QU_T|Y_T)$$
$$\overset{(d)}{=} I(Y_{\mathcal{A}\setminus T};V_T|Y_T) \overset{(e)}{\leq} \delta,$$

where (d) follows since the view $V_T$ comprises the private
randomness $U_T$ and $Q$, the sole message broadcast by party-i
at the start of the protocol, and (e) follows from (9). Then
from Definition 2, it follows that $\Pi_Q$ is $(\delta,t)$-private. ■

In [13], a monotone region for a channel-type model (K = 2)
was defined under a restriction to the $\Delta_{21} = 0$ plane to derive
upper bounds on the oblivious transfer capacity. Equivalent
generalizations for multiuser channels using pairwise setups
are of interest. Another observation of independent interest is
that recently, the Hypercontractivity (HC) ribbon, a tensorizing
measure of correlation [14], was derived as a dual of the GW
region [15]. Both the HC ribbon and ARI region behave monotonically
under local stochastic evolution and are measures of
nonlocal correlation. We leave as an open question as to how
these regions might be related.

Appendix

Proof (sketch) for Theorem 2: The proof for achievability 
which is based on a generalized lossy source coding problem 
(for K variables) follows similar lines as in [2] and is omitted 
in the interest of space. The converse follows by minor 
modifications from the K = 2 case [2] and is provided here 
for completeness. 

n{Ra + e)> H{Ma) > H{Ma\X^) > 

> I{Y:;Wa\X:), 

-E” H{YJXJ - H{YjWaY:-^X:) 

= nI{Yaj\Qj\XajJ), e {l,...,n}, 

where (a) follows from the independence of the K-tuple
$X_{\mathcal{A},i} = \{X_{a,i}\}_{a \in \mathcal{A}}$ across i. In (b), $J \in \{1,\ldots,n\}$ is a
uniformly distributed RV independent of $X_{\mathcal{A}}^n$ and (c) follows
from the independence of $J$ and $X_{\mathcal{A}}^n$.

Fig. 2. Denoting the I-Measure of RV $Q$ by $\mu^*$, the only atom on which
$\mu^*$ is nonvanishing is shown in the I-Diagram for the coordinate $\Delta_{21}$ on the
boundary of $\mathcal{T}(X_1;X_2;X_3)$

$= nI(X_{1J};\ldots;X_{KJ}|Q)$.

The converse follows, since $(X_{1J},\ldots,X_{KJ})$ has the same
distribution as $(X_1,\ldots,X_K)$. The cardinality bound on $Q$ can
be shown using the Carathéodory-Fenchel theorem [12, p. 310].
The boundary of T(X^) is thus made up of (K + l)-tuples of 
the form = ({^ 2 a}ag^,Ai), where is a continuous 
function from Vxa where Vxa compact (i.e., 

closed and bounded). Since the image of a compact set under 
a continuous function is compact, {Am ■ Pq\Xa ^ 
compact. Moreover, since the increasing hull of a compact set 
is closed (see Lemma A.3, [2]), T is closed. Convexity of T 
follows from arguments similar to the K = 2 case [2]. ■ 


Proof (sketch) for Theorem 4: First note that $\mathcal{T}(X_{\mathcal{A}})$
intersects each of the (K + 1) axes, since any K-tuple of
coordinates can be made simultaneously zero by choosing an
appropriate $Q$. The case for K = 2 was already shown in [2].
For the intercept $\Delta_{21}^{\mathrm{int}}(X_1;X_2;X_3)$,

$$\Delta_{21}^{\mathrm{int}} = \inf_{\substack{I(X_3X_1;Q|X_2)=0 \\ I(X_1X_2;Q|X_3)=0 \\ I(X_1;X_2|Q)+I(X_1X_2;X_3|Q)=0}} I(X_2X_3;Q|X_1) \leq \inf_{\substack{H(Q|X_2)=H(Q|X_3)=0 \\ I(X_1;X_2|Q)+I(X_1X_2;X_3|Q)=0}} H(Q|X_1),$$

since if $H(Q|X_2) = H(Q|X_3) = 0$, then $I(X_3X_1;Q|X_2) =
I(X_1X_2;Q|X_3) = 0$ and $I(X_2X_3;Q|X_1) = H(Q|X_1)$. For
the converse, we want to show LHS $\geq$ RHS. This holds, since
if $I(X_3X_1;Q|X_2) = I(X_1X_2;Q|X_3) = 0$, then $H(Q|X_2)
= H(Q|X_3) = 0$ and $I(X_2X_3;Q|X_1) = H(Q|X_1)$.

In fact, under the given constraints, denoting the I-Measure
of RV $Q$ by $\mu^*$, the only atom on which $\mu^*$ is nonvanishing
for both $I(X_2X_3;Q|X_1)$ and $H(Q|X_1)$ is the one
shown in the I-Diagram in Fig. 2. It may be noted that for
K = 2, the proof for the converse is not trivial (see Lemma
A.1, A.2 and the proof of Theorem 2.2 in [2]), since given
$I(X_1;Q|X_2) = I(X_1;X_2|Q) = 0$, it does not trivially follow
that $I(X_2;Q|X_1) \geq H(Q|X_1)$. However, just as shown above
for K = 3, for K > 3 onwards, $\mu^*$ is vanishing on all but
one atom, which trivially then yields the converse. Similar
arguments hold for all the other coordinates and for any general
K. Finally the use of min instead of inf in the statement of
the theorem is valid since $\mathcal{T}(X_{\mathcal{A}})$ is closed. ■


